Using stunnel as proxy between SSL versions for SMTP with STARTTLS

Question

I have a quite old software which doesn't support TLS 1.2. However SMTP Server only supports TLS 1.2.

Now I wanted to use stunnel to connect to SMTP server and and also listening for smtp access. I have already a valid certificate for this server. Before configuring different TLS versions I only wanted to test if this "stunnel proxy" works in general. I use Thunderbird to connect to :587 In [TLS_proxy_connector] and [TLS_proxy_listener] I have protocol = smtp. I've tried to comment them out in one or both sections. However I get an immediate error or some kind of timeout and Thunderbird can't sent the E-Mail.

Here is the stunnel config:

setuid = stunnel4
setgid = stunnel4

foreground = yes
;don't write pid
pid =


[TLS_proxy_connector]
client = yes
accept = 127.0.0.1:53681
protocol = smtp
connect = <mailserver>:587
verify = 2
CApath = /etc/ssl/certs/
checkHost = <mailserver>
;OCSPaia = yes

[TLS_proxy_listener]
accept = 587
protocol = smtp
key = /etc/ssl/private/key.pem
cert = /etc/ssl/certs/cert_.pem
CAfile = /etc/ssl/certs/chain_.pem
connect = 53681

What am I doing wrong? Is there another tool which fits better here? I know I could setup an own mailserver which accepts TLS 1.0 and 1.1 and uses as smarthost, but that would be too much, because then I have to care about security. Currently checks security because you're only allowed to send with valid credentials. Thanks for your help.

Update: It works with above configuration when both entrys have protocol = smtp. I'll add more info when further tests have been done regarding TLS versions.

Answer 1

Above configuration is correct for proxying different TLS versions. There is no need to configure anything special for SSL/TLS within stunnel.

stunnel -version
stunnel 5.30 on x86_64-pc-linux-gnu platform

This version is default on debian 10 when you install via sudo apt install stunnel.

testssl.sh output of original server

 Testing protocols via sockets

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 SPDY/NPN   (SPDY is an HTTP protocol and thus not tested here)
 HTTP2/ALPN (HTTP/2 is a HTTP protocol and thus not tested here)

testssl.sh output of proxied port via stunnel

 Testing protocols via sockets

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   (SPDY is an HTTP protocol and thus not tested here)
 HTTP2/ALPN (HTTP/2 is a HTTP protocol and thus not tested here)

Notice: Using TLS 1 and 1.1 is usally a bad idea, since both protocols have security flaws, see for example https://www.venafi.com/blog/why-its-dangerous-use-outdated-tls-security-protocols In this case this TLS proxied port will be only available in internal network and will be never exposed to internet, so it is ok to use this hack until this old software without TLS 1.2 support gets replaced.